GaussDB database user and security management [client access authentication] [02]

1. Configure client access authentication

Client access authentication is controlled by a configuration file, named pg_hba.conf by default, which is stored in the database's data directory. hba stands for host-based authentication.

Background Information
GaussDB supports the following three authentication methods. Whichever method is used, the pg_hba.conf file must be configured.

  • Host-based authentication: the server checks the configuration file against the client's IP address, the user name and the database to be accessed, and decides whether the connection is allowed and how it must authenticate.
  • Password authentication: encrypted password authentication for remote connections, and unencrypted password authentication for local connections.
  • SSL encryption: SSL provides an encrypted channel between the server and the client.

Format of the pg_hba.conf file:

  • Each record occupies one line and expresses one authentication rule. Blank lines and comments (beginning with #) are ignored.
  • Each record consists of several fields separated by spaces and/or tabs. A field enclosed in double quotes may contain blanks. A record cannot span more than one line.

Each record in the pg_hba.conf file takes one of the following four formats. The parameters of the four formats are described in section 2, Configuration file reference.

local     DATABASE USER METHOD [OPTIONS]
host      DATABASE USER ADDRESS METHOD [OPTIONS]
hostssl   DATABASE USER ADDRESS METHOD [OPTIONS]
hostnossl DATABASE USER ADDRESS METHOD [OPTIONS]

During authentication the system scans the records in pg_hba.conf sequentially for each connection request and applies the first record whose type, database, user and address all match. There is no fall-through: if the client fails the authentication method named in that record, later records are not tried, and if no record matches at all the connection is rejected. The order of the records is therefore critical.

The recommended arrangement of authentication rules is:

  • Records near the top have stricter (narrower) connection parameters and may use weaker authentication methods.
  • Records further down have looser (broader) connection parameters and use stricter authentication methods.

Note: for a user to connect successfully to a specific database, the connection must not only pass the rule checks in pg_hba.conf; the user must also hold the CONNECT privilege on that database. To restrict which users may connect to which databases, granting or revoking CONNECT is usually easier than writing pg_hba.conf rules.

Restart the database service for the configuration to take effect.

gs_ctl restart
Table 1 Error prompts

Problem: the user does not exist or the password is wrong
  Message:  FATAL: invalid username/password, login denied
  Solution: The user name or password is wrong; check that both were entered correctly.

Problem: the database being connected to does not exist
  Message:  FATAL: database "TESTDB" does not exist
  Solution: The database you are trying to connect to does not exist; check that the database name was entered correctly.

Problem: no matching client record was found
  Message:  FATAL: no pg_hba.conf entry for host "123.123.123.123", user "ANDYM", database "TESTDB"
  Solution: The connection reached the server, but the server rejected it because no record in its pg_hba.conf matched the connection. A record matches only if its type also fits the connection: a hostssl record never matches a connection that did not negotiate SSL, and a hostnossl record never matches one that did. Contact the database administrator to add a matching record to pg_hba.conf.
Task example

# TYPE      DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
# Allows only the user specified with the -U parameter at installation time to connect locally from the server host
local       all             all                                     trust
# IPv4 local connections:
# Allows the user gaussdba to connect from host 10.10.10.2 to any database in GaussDB; the password is protected with the sha256 algorithm
host        all             gaussdba        10.10.10.2/32           sha256
# Allows any user to connect from any host in the 10.0.0.0/8 network to any database in GaussDB, but only over an SSL-encrypted connection; the password is protected with the sha256 algorithm
hostssl     all             all             10.0.0.0/8              sha256
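To make the first-match semantics concrete, the following Python script is an added example written for this page; it is not GaussDB code and does not reproduce the server's real parser. It parses the four record types, the all/sameuser/samerole keywords, +role user entries, both ADDRESS forms and IPv4-mapped IPv6 addresses (the field rules given in the configuration file reference in section 2), then evaluates sample connections against a constructed pg_hba.conf modelled on the task example above. Quoted fields, @file user lists and OPTIONS are not handled, and the role membership lookup is an invented table rather than a real catalog.

```python
"""Added example (not GaussDB code): first-match evaluation of pg_hba.conf records."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Union

Members = Callable[[str], Set[str]]   # role name -> member user names (assumed lookup, not a real catalog)
# Constructed sample modelled on the task example above; not a real deployment.
SAMPLE_HBA = """
# TYPE     DATABASE  USER       ADDRESS                      METHOD
local      all       all                                     trust
host       all       gaussdba   10.10.10.2/32                sha256
hostssl    all       all        10.0.0.0/8                   sha256
host       all       +auditors  192.168.0.0 255.255.255.0    sha256
hostnossl  all       all        0.0.0.0/0                    reject
"""
# Constructed counter-example: a broad trust record placed first shadows the stricter one below it.
MISORDERED = """
host       all       all        10.0.0.0/8                   trust
host       all       gaussdba   10.10.10.2/32                sha256
"""
@dataclass
class Conn:
    """One connection request as the server sees it."""
    conn_type: str                 # "local" (Unix socket) or "host" (TCP/IP)
    ssl: bool                      # True if SSL was negotiated
    database: str
    user: str
    address: Optional[str] = None  # client IP; None for Unix-socket connections

@dataclass
class Record:
    rtype: str
    databases: List[str]
    users: List[str]
    network: Optional[Union[ipaddress.IPv4Network, ipaddress.IPv6Network]]  # None for "local"
    method: str
    line_no: int

def parse_hba(conf: str) -> List[Record]:
    """Parse records; blank lines and # comments are ignored (quoted fields unsupported)."""
    records = []
    for line_no, raw in enumerate(conf.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()
        if not tok:
            continue
        rtype = tok[0]
        if rtype == "local":
            db, user, method, net = tok[1], tok[2], tok[3], None
        elif rtype in ("host", "hostssl", "hostnossl"):
            db, user, addr, rest = tok[1], tok[2], tok[3], tok[4:]
            if "/" not in addr and rest and rest[0].replace(".", "").isdigit():  # "IP subnet-mask" form
                addr, rest = f"{addr}/{rest[0]}", rest[1:]
            net, method = ipaddress.ip_network(addr, strict=False), rest[0]
        else:
            raise ValueError(f"line {line_no}: unknown record type {rtype!r}")
        records.append(Record(rtype, db.split(","), user.split(","), net, method, line_no))
    return records

def _type_ok(r: Record, c: Conn) -> bool:
    if r.rtype == "local" or c.conn_type != "host":
        return r.rtype == "local" and c.conn_type == "local"
    return {"host": True, "hostssl": c.ssl, "hostnossl": not c.ssl}[r.rtype]  # SSL must fit the type

def _db_ok(r: Record, c: Conn, members: Members) -> bool:
    for d in r.databases:
        if d == c.database or (d == "all" and c.database != "replication"):  # "all" excludes replication
            return True
        if (d == "sameuser" and c.database == c.user) or (d == "samerole" and c.user in members(c.database)):
            return True
    return False

def _user_ok(r: Record, c: Conn, members: Members) -> bool:
    return any(u in ("all", c.user) or (u.startswith("+") and c.user in members(u[1:]))
               for u in r.users)       # "+role" matches direct or indirect members of the role

def _addr_ok(r: Record, c: Conn) -> bool:
    if r.network is None:
        return True
    ip = ipaddress.ip_address(c.address)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped            # ::ffff:a.b.c.d matches IPv4 records
    return ip in r.network             # False when the address families differ

def authenticate(conf: str, c: Conn, members: Members = lambda role: set()) -> Optional[Record]:
    """Return the first matching record, or None when there is no pg_hba.conf entry."""
    for r in parse_hba(conf):
        if _type_ok(r, c) and _db_ok(r, c, members) and _user_ok(r, c, members) and _addr_ok(r, c):
            return r                   # the first match decides; later records are never consulted
    return None

def decide(conf: str, c: Conn, members: Members = lambda role: set()) -> str:
    r = authenticate(conf, c, members)
    return r.method if r else "no pg_hba.conf entry"

if __name__ == "__main__":
    members = lambda role: {"auditors": {"alice", "bob"}}.get(role, set())  # invented role membership
    print(decide(SAMPLE_HBA, Conn("host", False, "testdb", "alice", "192.168.0.7"), members))  # sha256
    print(decide(MISORDERED, Conn("host", False, "testdb", "gaussdba", "10.10.10.2")))           # trust
```

Evaluating the sample shows the points the ordering advice relies on: andym from 10.0.0.5 without SSL skips the hostssl record and falls through to the final hostnossl reject, while the same client with SSL gets sha256; carol with SSL from 192.168.0.7 matches nothing at all and would see the "no pg_hba.conf entry" error from Table 1, because the hostnossl catch-all only matches plain connections. The MISORDERED sample is the failure mode the recommendation warns about: the broad trust record placed first shadows the narrower sha256 record, so gaussdba from 10.10.10.2 is admitted without a password.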

2. Configuration file reference

Table 1 Parameter description

Parameter: local
  Description: The record accepts only connections through a Unix domain socket. Without a record of this type, Unix domain socket connections are not allowed. A connection goes through the Unix domain socket only when gsql is run on the server host itself and the -U parameter is not specified.
  Values: -

Parameter: host
  Description: The record accepts plain TCP/IP socket connections and also TCP/IP socket connections encrypted with SSL.
  Values: -

Parameter: hostssl
  Description: The record accepts only TCP/IP socket connections encrypted with SSL. To use SSL for a secure connection, a digital certificate must be obtained and the related parameters configured; see "Using SSL for Secure TCP/IP Connection".
  Values: -

Parameter: hostnossl
  Description: The record accepts only plain (non-SSL) TCP/IP socket connections.
  Values: -

Parameter: DATABASE
  Description: The database(s) that the record matches and allows access to.
  Values:
    all: matches all databases.
    sameuser: matches if the requested database has the same name as the requested user.
    samerole: matches if the requested user is a member of a role with the same name as the requested database.
    The name of a specific database, or a comma-separated list of databases.
  Note: the "all" keyword does not match "replication"; a separate record is required for replication connections.

Parameter: USER
  Description: The database user(s) that the record matches and allows access to.
  Values:
    all: matches all users.
    The name of a specific database user, or a comma-separated list of users.
    A name prefixed with + matches any user that is directly or indirectly a member of that role.
    A name prefixed with @ refers to a file containing user names; the names in the file are separated by commas or newlines.

Parameter: ADDRESS
  Description: The range of client IP addresses that the record matches and allows access from. IPv4 and IPv6 are supported, in either of two forms.
  Values:
    IP address/mask length, for example 10.10.10.0/24
    IP address followed by a subnet mask, for example 10.10.10.0 255.255.255.0
  Note: an address given in IPv4 form also matches IPv6 connections that carry the corresponding IPv4-mapped address. For example, 127.0.0.1 matches the IPv6 address ::ffff:127.0.0.1.

Parameter: METHOD
  Description: The authentication method used for matching connections. GaussDB supports the following methods; see Table 2 for details.
  Values:
    trust
    reject
    md5 (not recommended)
    sha256

Parameter: OPTIONS
  Description: Method-specific authentication options in the form NAME=VALUE. The available options depend on the authentication method.
  Note: none of the authentication methods supported by GaussDB require this parameter.

Table 2 Authentication methods

trust
  With this method, GaussDB fully trusts only a connection made with gsql on the server host itself without the -U parameter; no password is required for such a connection.
  Trust authentication is convenient for local connections on a single-user workstation and is usually unsuitable for a multi-user environment. If it is used, restrict access to the server's Unix domain socket file with file-system permissions, in either of two ways:
    set the unix_socket_permissions and unix_socket_group parameters;
    set unix_socket_directory so that the socket file is placed in a suitably restricted directory.
  Note: file-system permissions only help Unix domain socket connections; they do not restrict local TCP/IP connections. To keep local TCP/IP connections secure, GaussDB does not allow remote connections to use the trust method.

reject
  Unconditionally rejects the connection. Typically used to filter out specific hosts, or, as the last record, to deny every connection the earlier records did not explicitly allow.

md5
  The client must provide an md5-hashed password for authentication.
  Caution: md5 authentication is not recommended, because md5 is an insecure hash algorithm and exposes the password exchange to network attacks. GaussDB retains md5 authentication and md5 password storage only to accommodate third-party tools (such as TPC-C evaluation tools).

sha256
  The client must prove knowledge of the password using the sha256 algorithm. During transmission the password is combined with a salt (a random value sent by the server to the client) under a one-way sha256 computation, so the password itself never crosses the network and a captured response is useless for a later connection, which receives a different salt.

Origin blog.csdn.net/qq_42226855/article/details/109563367